Bug#1037444: bookworm-pu: package kanboard/1.2.26+ds-4

2023-06-15 Thread Joe Nahmias
Attached is a revised debdiff between -2 and -2+deb12u1.
--Joe
diff -Nru kanboard-1.2.26+ds/debian/changelog 
kanboard-1.2.26+ds/debian/changelog
--- kanboard-1.2.26+ds/debian/changelog 2023-05-16 22:49:38.0 -0400
+++ kanboard-1.2.26+ds/debian/changelog 2023-06-15 23:02:33.0 -0400
@@ -1,3 +1,24 @@
+kanboard (1.2.26+ds-2+deb12u1) bookworm; urgency=high
+
+  * Cherry-pick security fixes from kanboard_1.2.26+ds-[34] for bookworm.
+  * backport fix for CVE-2023-32685 from kanboard v1.2.29
+
https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+Based on upstream commits 26b6eeb & c9c1872.
+(cherry picked from commit d9b8d854f2d35831b04b84cfdda41cc7b49e3a28)
+(Closes: #1036874)
+  * backport security fixes from kanboard v1.2.30.
+ > CVE-2023-33956: Parameter based Indirect Object Referencing leading
+   to private file exposure
+ > CVE-2023-33968: Missing access control allows user to move and
+   duplicate tasks to any project in the software
+ > CVE-2023-33969: Stored XSS in the Task External Link Functionality
+ > CVE-2023-33970: Missing access control in internal task links feature
+(cherry picked from commit 4ad0ad220613bbf04bef559addba8c363fdf0dfa)
+(Closes: #1037167)
+  * point gbp & salsa at bookworm
+
+ -- Joseph Nahmias   Thu, 15 Jun 2023 23:02:33 -0400
+
 kanboard (1.2.26+ds-2) unstable; urgency=medium
 
   * properly test for lighty-enable-mod.
diff -Nru kanboard-1.2.26+ds/debian/gbp.conf kanboard-1.2.26+ds/debian/gbp.conf
--- kanboard-1.2.26+ds/debian/gbp.conf  2023-05-09 06:27:15.0 -0400
+++ kanboard-1.2.26+ds/debian/gbp.conf  2023-06-15 23:02:33.0 -0400
@@ -1,3 +1,3 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
 pristine-tar = True
diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 
kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch
--- kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch  1969-12-31 
19:00:00.0 -0500
+++ kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch  2023-06-15 
23:00:52.0 -0400
@@ -0,0 +1,111 @@
+Description: fix for CVE-2023-32685
+ Clipboard based cross-site scripting (blocked with default CSP)
+ https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
+Author: Frédéric Guillot 
+Origin: upstream
+Last-Update: 2023-05-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/assets/js/components/screenshot.js 
b/assets/js/components/screenshot.js
+index a8acd64..1130bd2 100644
+--- a/assets/js/components/screenshot.js
 b/assets/js/components/screenshot.js
+@@ -1,5 +1,4 @@
+ KB.component('screenshot', function (containerElement) {
+-var pasteCatcher = null;
+ var inputElement = null;
+ 
+ function onFileLoaded(e) {
+@@ -7,7 +6,6 @@ KB.component('screenshot', function (containerElement) {
+ }
+ 
+ function onPaste(e) {
+-// Firefox doesn't have the property e.clipboardData.items (only 
Chrome)
+ if (e.clipboardData && e.clipboardData.items) {
+ var items = e.clipboardData.items;
+ 
+@@ -24,69 +22,13 @@ KB.component('screenshot', function (containerElement) {
+ }
+ }
+ }
+-} else {
+-
+-// Handle Firefox
+-setTimeout(checkInput, 100);
+ }
+ }
+ 
+ function initialize() {
+-destroy();
+-
+-if (! window.Clipboard) {
+-// Insert the content editable at the top to avoid scrolling down 
in the board view
+-pasteCatcher = document.createElement('div');
+-pasteCatcher.id = 'screenshot-pastezone';
+-pasteCatcher.contentEditable = true;
+-pasteCatcher.style.opacity = 0;
+-pasteCatcher.style.position = 'fixed';
+-pasteCatcher.style.top = 0;
+-pasteCatcher.style.right = 0;
+-pasteCatcher.style.width = 0;
+-document.body.insertBefore(pasteCatcher, 
document.body.firstChild);
+-
+-pasteCatcher.focus();
+-
+-// Set the focus when clicked anywhere in the document
+-document.addEventListener('click', setFocus);
+-
+-// Set the focus when clicked in screenshot dropzone
+-
document.getElementById('screenshot-zone').addEventListener('click', setFocus);
+-}
+-
+ window.addEventListener('paste', onPaste, false);
+ }
+ 
+-function destroy() {
+-if (KB.exists('#screenshot-pastezone')) {
+-KB.find('#screenshot-pastezone').remove();
+-}
+-
+-document.removeEventListener('click', setFocus);
+-pasteCatcher = null;
+-}
+-
+-function setFocus() {
+-if (pasteCatcher !== null) {
+-pasteCatcher.focus();
+-}
+-}
+-
+-function checkInput() {
+-var child = pasteCatcher.childNodes[0];
+-
+-if (child) {
+-

Processed: Re: Bug#1038122: cp: cannot stat '/tmp/odbcinst.ini.bak'

2023-06-15 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 serious
Bug #1038122 [unixodbc-common] cp: cannot stat '/tmp/odbcinst.ini.bak'
Severity set to 'serious' from 'important'
> block 1038041 by -1
Bug #1038041 [release.debian.org] bookworm-pu: package unixodbc/2.3.11-2+deb12u1
1038041 was not blocked by any bugs.
1038041 was not blocking any bugs.
Added blocking bug(s) of 1038041: 1038122

-- 
1038041: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038041
1038122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038122
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: tagging 1037286

2023-06-15 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 1037286 + confirmed
Bug #1037286 [release.debian.org] transition: libcamera 0.0.5
Added tag(s) confirmed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1037286: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037286
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#1028602: transition: gnustep-base, gnustep-gui

2023-06-15 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 = confirmed
Bug #1028602 [release.debian.org] transition: gnustep-base, gnustep-gui
Added tag(s) confirmed; removed tag(s) moreinfo and trixie.

-- 
1028602: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028602
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1028602: transition: gnustep-base, gnustep-gui

2023-06-15 Thread Sebastian Ramacher
Control: tags -1 = confirmed

On 2023-01-13 15:15:10 +0200, Yavor Doganov wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> X-Debbugs-Cc: pkg-gnustep-maintain...@lists.alioth.debian.org
> Control: affects -1 + src:gnustep-base src:gnustep-gui
> 
> Dear Release team,
> 
> We would like your permission to carry out a GNUstep transition (two
> libraries simultaneously with one round of binNMUs):
> 
>   libgnustep-base1.28 -> 1.29
>   libgnustep-gui0.29  -> 0.30

Please go ahead.

Cheers
-- 
Sebastian Ramacher



Bug#1037286: transition: libcamera 0.0.5

2023-06-15 Thread Sebastian Ramacher
Control: tags -1 confirm

On 2023-06-10 10:25:29 +0200, Dylan Aïssi wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> 
> Dear Release Team,
> 
> Please schedule a transition slot for libcamera 0.0.5.
> 
> The auto-generated ben tracker looks good:
> https://release.debian.org/transitions/html/auto-libcamera.html
> 
> The unique reverse dep (pipewire 0.3.71-1) builds fine with the
> new libcamera in experimental.

Please go ahead.

Cheers
-- 
Sebastian Ramacher



Bug#1038140: bookworm-pu: package onionshare/2.6-5

2023-06-15 Thread Hefee
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: onionsh...@packages.debian.org, 
pkg-privacy-maintain...@alioth-lists.debian.net, he...@debian.org
Control: affects -1 + src:onionshare

[ Reason ]
The version 2.6-4 does not install the icons, the desktop file and the AppStream metadata
file in the correct places (Closes: #1036691), so users can only run onionshare from the
command line.

[ Tests ]
Autopkgtests make sure that the main parts of the package are still
functioning. Manual tests confirm that onionshare is listed in the desktop menu and
that it has the correct icon. The same version is installed in sid.

[ Risks ]
No real risks, as it is only installing some files to correct places.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable


Do I need to update the version with a stable suffix (~deb12u1), given that there
won't be any diff?
diff -Nru onionshare-2.6/debian/changelog onionshare-2.6/debian/changelog
--- onionshare-2.6/debian/changelog 2023-05-05 14:41:35.0 +0200
+++ onionshare-2.6/debian/changelog 2023-06-13 12:23:22.0 +0200
@@ -1,3 +1,10 @@
+onionshare (2.6-5) unstable; urgency=medium
+
+  * Install desktp/appmetadata at expected places. (Closes: #1036691)
+  * Install icons under usr/share/icons.
+
+ -- Sandro Knauß   Tue, 13 Jun 2023 12:23:22 +0200
+
 onionshare (2.6-4) unstable; urgency=medium
 
   * Mark chat-server test as flaky, as it fails on i386 also randomly.
diff -Nru onionshare-2.6/debian/rules onionshare-2.6/debian/rules
--- onionshare-2.6/debian/rules 2022-12-22 14:32:13.0 +0100
+++ onionshare-2.6/debian/rules 2023-06-06 21:21:03.0 +0200
@@ -4,6 +4,8 @@
 %:
dh $@ --buildsystem=pybuild
 
+SIZES = 16 32 64 128 256 512
+
 override_dh_auto_build:
PYBUILD_NAME=onionshare-cli dh_auto_build --buildsystem=pybuild 
--sourcedirectory cli --\
--after-build "CURDIR=$(CURDIR) BUILD_DIR={build_dir} 
$(CURDIR)/debian/missing-sources/uglifyjs.sh"
@@ -24,8 +26,22 @@
rm debian/onionshare/usr/bin/onionshare-cli
 
 execute_after_dh_auto_install:
-   mkdir -p debian/onionshare/usr/share
+   mkdir -p debian/onionshare/usr/share/metainfo
+   cp desktop/org.onionshare.OnionShare.appdata.xml 
debian/onionshare/usr/share/metainfo/
+   mkdir -p debian/onionshare/usr/share/applications
+   cp desktop/org.onionshare.OnionShare.desktop 
debian/onionshare/usr/share/applications/
+   
mv 
debian/onionshare/usr/lib/python3*/dist-packages/onionshare/resources 
debian/onionshare/usr/share/onionshare
+   
+   # Move icons to the places where they are searched
+   mkdir -p debian/onionshare/usr/share/icons/hicolor/scalable/apps
+   cp desktop/org.onionshare.OnionShare.svg 
debian/onionshare/usr/share/icons/hicolor/scalable/apps/
+   $(foreach size,$(SIZES), \
+   mkdir debian/onionshare/usr/share/icons/hicolor/$(size)x$(size); \
+   mv debian/onionshare/usr/share/onionshare/onionshare-$(size).png 
debian/onionshare/usr/share/icons/hicolor/$(size)x$(size)/org.onionshare.OnionShare.png;
 \
+   ln -s 
/usr/share/icons/hicolor/$(size)x$(size)/org.onionshare.OnionShare.png 
debian/onionshare/usr/share/onionshare/onionshare-$(size).png; \
+   ) true
+   
mkdir -p debian/onionshare-cli/usr/share
mv 
debian/onionshare-cli/usr/lib/python3*/dist-packages/onionshare_cli/resources 
debian/onionshare-cli/usr/share/onionshare-cli
 
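Review bot: The trailing `true` after the `$(foreach size,$(SIZES), …)` loop masks every failure inside it, because the expansion is a single shell line whose exit status is that of its last command, so a missing `onionshare-$(size).png` or a failed `mkdir` goes unnoticed and the package builds without some icons. Starting the line with `set -e; $(foreach size,$(SIZES), \` (or chaining the three commands with `&&`) makes the recipe stop on the first error. The `ln -s` target is an absolute path from one `/usr/share` subtree into another; Debian Policy 10.5 wants links within the same top-level directory to be relative, so `ln -s ../icons/hicolor/$(size)x$(size)/org.onionshare.OnionShare.png debian/onionshare/usr/share/onionshare/onionshare-$(size).png; \` is the form lintian will not complain about.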


Processed: bookworm-pu: package onionshare/2.6-5

2023-06-15 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:onionshare
Bug #1038140 [release.debian.org] bookworm-pu: package onionshare/2.6-5
Added indication that 1038140 affects src:onionshare

-- 
1038140: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038140
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: transition: gdal

2023-06-15 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:gdal
Bug #1038115 [release.debian.org] transition: gdal
Added indication that 1038115 affects src:gdal
> forwarded -1 https://release.debian.org/transitions/html/auto-gdal.html
Bug #1038115 [release.debian.org] transition: gdal
Set Bug forwarded-to-address to 
'https://release.debian.org/transitions/html/auto-gdal.html'.
> block -1 by 1030129 998833 1037920 984398 1037976
Bug #1038115 [release.debian.org] transition: gdal
1038115 was not blocked by any bugs.
1038115 was not blocking any bugs.
Added blocking bug(s) of 1038115: 1037976, 1030129, 998833, 1037920, and 984398

-- 
1038115: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038115
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1038115: transition: gdal

2023-06-15 Thread Bas Couwenberg
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: g...@packages.debian.org
Control: affects -1 + src:gdal
Control: forwarded -1 https://release.debian.org/transitions/html/auto-gdal.html
Control: block -1 by 1030129 998833 1037920 984398 1037976

For the Debian GIS team I'd like to transition to GDAL 3.7.0.

Most reverse dependencies rebuilt successfully with GDAL 3.7.0 from 
experimental as summarized below.


mysql-workbench (8.0.32+dfsg-1) FTBFS due to ca-certificates-java (#1030129).
Once that is fixed it will likely FTBFS due to #998833.

ncl (6.6.2.dfsg.1-1) FTBFS due to hdf4 (4.2.16-1):

 /usr/include/hdf/dfi.h:128:2: error: #endif without #if
   128 | #endif /* H4_DFI_H */
   |  ^

This is fixed in hdf4 (4.2.16-2), but NCL still FTBFS:

 /usr/include/hdf/dfi.h:53:33: error: two or more data types in declaration 
specifiers
53 | #define float32 float
   | ^
 /usr/include/hdf/hdfi.h:121:16: note: in expansion of macro 'float32'
   121 | typedef float  float32;
   |^~~
 /usr/include/hdf/hdfi.h:121:1: warning: useless type name in empty declaration
   121 | typedef float  float32;
   | ^~~

hdf4 (4.2.16-3) contains a different fix for dfi.h that resolves this issue.

python-django (3:3.2.19-1) FTBFS due to an unrelated issue (#1037920).

vtk6 (6.3.0+dfsg2-8.1) FTBFS due to an unrelated issue (#984398).

opencv (4.6.0+dfsg-12) FTBFS due to ca-certificates-java (#1030129).
Removing the Java packages lets the package build successfully with GDAL 3.7.0.

osmcoastline (2.4.0-1) FTBFS due to changes in GDAL 3.7.0 (#1037976),
osmcoastline (2.4.0-2) contains a patch to fix this issue.


Transition: gdal

 libgdal32 (3.6.4+dfsg-1) -> libgdal33 (3.7.0+dfsg-1~exp1)

The status of the most recent rebuilds is as follows.

 cloudcompare(2.11.3-7.1)  OK
 fiona   (1.9.4-1) OK
 gmt (6.4.0+dfsg-2)OK
 grass   (8.2.1-1) OK
 libcitygml  (2.5.1-1) OK
 libosmium   (2.19.0-1)OK
 mapcache(1.14.0-1)OK
 mapnik  (3.1.0+ds-3)  OK
 mapproxy(1.16.0+dfsg-1)   OK
 mapserver   (8.0.1-1) OK
 merkaartor  (0.19.0+ds-3) OK
 mysql-workbench (8.0.32+dfsg-1)   FTBFS (#998833)
 ncl (6.6.2.dfsg.1-1)  OK
 octave-mapping  (1.4.2-3) OK
 openorienteering-mapper (0.9.5-3) OK
 openscenegraph  (3.6.5+dfsg1-8)   OK
 paraview(5.11.0+dfsg-1)   OK
 pgsql-ogr-fdw   (1.1.3-1) OK
 pktools (2.6.7.6+ds-4)OK
 postgis (3.3.3+dfsg-2)OK
 python-django   (3:3.2.19-1)  FTBFS (#1037920)
 qmapshack   (1.16.1-2)OK
 r-cran-rgdal(1.6-4+dfsg-1)OK
 r-cran-sf   (1.0-9+dfsg-1)OK
 r-cran-terra(1.7-3-1) OK
 rasterio(1.3.7-1) OK
 saga(9.0.2+dfsg-1)OK
 vtk6(6.3.0+dfsg2-8.1) FTBFS (#984398)
 vtk7(7.1.1+dfsg2-10.2)OK
 vtk9(9.1.0+really9.1.0+dfsg2-5)   OK

 facet-analyser  (0.0~git20221121142040.6be10b8+ds1-3) OK
 libgdal-grass   (1:1.0.2-4)   OK
 opencv  (4.6.0+dfsg-12)   FTBFS (#1030129)
 osmcoastline(2.4.0-2) OK
 qgis(3.28.7+dfsg-1)   OK
 sumo(1.15.0+dfsg-1)   OK

 otb (8.1.1+dfsg-1)OK


Kind Regards,

Bas



Bug#1037466: marked as done (nmu: spirv-llvm-translator-16_16.0.0-1)

2023-06-15 Thread Debian Bug Tracking System
Your message dated Thu, 15 Jun 2023 12:26:15 +
with message-id 
and subject line Bug#1037466: fixed in spirv-llvm-translator-16 16.0.0-2
has caused the Debian Bug report #1037466,
regarding nmu: spirv-llvm-translator-16_16.0.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037466: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037466
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu spirv-llvm-translator-16_16.0.0-1 . ANY . experimental . -m "Rebuild 
against llvm 16.0.5"

the updated llvm-16/gcc-13 combination causes symbol changes that I'd
like to collect before uploading the package to unstable

Andreas
--- End Message ---
--- Begin Message ---
Source: spirv-llvm-translator-16
Source-Version: 16.0.0-2
Done: Andreas Beckmann 

We believe that the bug you reported is fixed in the latest version of
spirv-llvm-translator-16, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1037...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann  (supplier of updated 
spirv-llvm-translator-16 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 15 Jun 2023 14:01:00 +0200
Source: spirv-llvm-translator-16
Architecture: source
Version: 16.0.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenCL team 
Changed-By: Andreas Beckmann 
Closes: 1037466
Changes:
 spirv-llvm-translator-16 (16.0.0-2) unstable; urgency=medium
 .
   * Update from llvm_release_160 branch.
   * Upload to unstable.  (Closes: #1037466)
Checksums-Sha1:
 2966cf4c1139d3eaeeedbedb10171c04c95dd36b 2574 
spirv-llvm-translator-16_16.0.0-2.dsc
 9dcd4a12e9c83673fc537c9aeb43eab8d2e7dd8d 19148 
spirv-llvm-translator-16_16.0.0-2.debian.tar.xz
 b84358e59c23a298d8bf1c70c95ba174b6e6b9bb 7885 
spirv-llvm-translator-16_16.0.0-2_source.buildinfo
Checksums-Sha256:
 1296a0638209ff387f6af3a7738935ae114cf94fc67d131e41236066f30e4fe2 2574 
spirv-llvm-translator-16_16.0.0-2.dsc
 101558e6c22f78a06b6a09f82a5dedd8462c19d4e9304beaad5b793efdbedc50 19148 
spirv-llvm-translator-16_16.0.0-2.debian.tar.xz
 83c0427bb30a54580d9a0d241fb5ca46582c2503b8fe982a4512f7b1661a6f5f 7885 
spirv-llvm-translator-16_16.0.0-2_source.buildinfo
Files:
 0d07bfcac302be3a87e86787e5e5 2574 libdevel optional 
spirv-llvm-translator-16_16.0.0-2.dsc
 07fe6aa3402ccdd8715cc8c96b494e43 19148 libdevel optional 
spirv-llvm-translator-16_16.0.0-2.debian.tar.xz
 49dc4ca69031ee7d7eb0fdb931ec4068 7885 libdevel optional 
spirv-llvm-translator-16_16.0.0-2_source.buildinfo

-BEGIN PGP SIGNATURE-
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=5rFy
-END PGP SIGNATURE-
--- End Message ---


Bug#1038041: bookworm-pu: package unixodbc/2.3.11-2+deb12u1

2023-06-15 Thread Hugh McMaster
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: unixo...@packages.debian.org
Control: affects -1 + src:unixodbc

I'd like to fix two bugs in the stable version of unixodbc (2.3.11-2).

[ Reason ]
(1) Users who upgrade their system from old versions of Debian (e.g. Lenny,
Squeeze, Wheezy etc.) with odbcinst1debian1 installed are unable to upgrade to
bookworm due to a missing Breaks+Replaces against two binary packages.

Although odbcinst1debian1 hasn't existed for years, dpkg complains because
/etc/odbc.ini is also in unixodbc-common, and /usr/bin/odbcinst is also in
odbcinst.

(2) Due to an oversight on my part, the stable version of unixodbc-common has
an obsolete conffile.

[ Impact ]
(1) Users with odbcinst1debian1 installed cannot upgrade to bookworm without
removing the binary package (which really shouldn't be installed anyway). Note
that the number of users actually affected by this bug will be very small.

(2) No impact.

[ Tests ]
(1) Testing of staged upgrades with piuparts.

(2) Manual testing of package upgrades and purging with rm_conffile in relevant
maintscripts.

[ Risks ]
The changes are minimal and well tested.

[ Checklist ]
  [ x ] *all* changes are documented in the d/changelog
  [ x ] I reviewed all changes and I approve them
  [ x ] attach debdiff against the package in stable
  [ x ] the issue is verified as fixed in unstable
diff -Nru unixodbc-2.3.11/debian/changelog unixodbc-2.3.11/debian/changelog
--- unixodbc-2.3.11/debian/changelog2022-05-23 21:14:45.0 +1000
+++ unixodbc-2.3.11/debian/changelog2023-06-15 21:05:33.0 +1000
@@ -1,3 +1,11 @@
+unixodbc (2.3.11-2+deb12u1) bookworm; urgency=medium
+
+  * unixodbc-common, odbcinst: Add Breaks+Replaces against odbcinst1debian1
+  (Closes: #1037172).
+  * unixodbc-common: Remove obsolete conffile (Closes: #1009152).
+
+ -- Hugh McMaster   Thu, 15 Jun 2023 21:05:33 +1000
+
 unixodbc (2.3.11-2) unstable; urgency=medium
 
   * debian/control: Update Standards-Version to 4.6.1 (no changes needed).
diff -Nru unixodbc-2.3.11/debian/control unixodbc-2.3.11/debian/control
--- unixodbc-2.3.11/debian/control  2022-05-23 21:14:45.0 +1000
+++ unixodbc-2.3.11/debian/control  2023-06-15 19:50:03.0 +1000
@@ -88,6 +88,8 @@
 Multi-Arch: foreign
 Section: utils
 Depends: unixodbc-common (>= ${source:Version}), ${shlibs:Depends}, 
${misc:Depends}
+Replaces: odbcinst1debian1
+Breaks: odbcinst1debian1
 Description: Helper program for accessing ODBC configuration files
  UnixODBC is an implementation of the Open Database Connectivity standard,
  a database abstraction layer that allows applications to be used with
@@ -122,8 +124,8 @@
 Architecture: all
 Multi-Arch: foreign
 Depends: ${misc:Depends}
-Replaces: odbcinst (<< 2.3.9-1~), odbcinst1debian2 (<< 2.3.9-1~)
-Breaks: odbcinst (<< 2.3.9-1~), odbcinst1debian2 (<< 2.3.9-1~)
+Replaces: odbcinst (<< 2.3.9-1~), odbcinst1debian1, odbcinst1debian2 (<< 
2.3.9-1~)
+Breaks: odbcinst (<< 2.3.9-1~), odbcinst1debian1, odbcinst1debian2 (<< 
2.3.9-1~)
 Description: Common ODBC configuration files
  UnixODBC is an implementation of the Open Database Connectivity standard,
  a database abstraction layer that allows applications to be used with
diff -Nru unixodbc-2.3.11/debian/unixodbc-common.postinst 
unixodbc-2.3.11/debian/unixodbc-common.postinst
--- unixodbc-2.3.11/debian/unixodbc-common.postinst 2022-05-23 
21:06:12.0 +1000
+++ unixodbc-2.3.11/debian/unixodbc-common.postinst 2023-06-15 
20:00:39.0 +1000
@@ -6,4 +6,11 @@
 touch /etc/odbcinst.ini
 fi
 
+dpkg-maintscript-helper rm_conffile \
+/etc/odbcinst.ini 2.3.11-2+deb12u1~ unixodbc-common -- "$@"
+
+if [ "$1" = "configure" -o "$1" = "abort-upgrade" ] && [ -n "$2" ]; then
+cp -a /tmp/odbcinst.ini.bak /etc/odbcinst.ini
+fi
+
 #DEBHELPER#
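Review bot: The added `cp -a /tmp/odbcinst.ini.bak /etc/odbcinst.ini` runs on every `configure`/`abort-upgrade` call that has an old version, but the matching copy in the new preinst (the unixodbc-common.preinst section below) is only made when `$1` is `upgrade` and `/etc/odbcinst.ini` exists, so the conditions do not line up and the postinst aborts with the `cp: cannot stat` error tracked as #1038122 whenever the backup is absent (reinstall after remove, conffile deleted by the admin). Staging the file through a fixed name in world-writable `/tmp` is a problem on its own: the path is predictable, the restore runs as root, and a local user who creates `/tmp/odbcinst.ini.bak` before the upgrade can have its contents end up in `/etc/odbcinst.ini`. At minimum the restore needs an existence check, `if [ -e /tmp/odbcinst.ini.bak ]; then cp -a …; fi`, and the staging file belongs in a root-owned directory that is not world-writable. `dpkg-maintscript-helper rm_conffile` already keeps a user-modified conffile as `/etc/odbcinst.ini.dpkg-bak` after its postinst stage (verify against dpkg-maintscript-helper(1)), so moving that file back into place after the helper call, with the existing `touch` covering the unmodified case, would remove the hand-rolled `/tmp` round-trip entirely.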
diff -Nru unixodbc-2.3.11/debian/unixodbc-common.postrm 
unixodbc-2.3.11/debian/unixodbc-common.postrm
--- unixodbc-2.3.11/debian/unixodbc-common.postrm   2022-05-23 
21:06:12.0 +1000
+++ unixodbc-2.3.11/debian/unixodbc-common.postrm   2023-06-15 
20:00:34.0 +1000
@@ -6,4 +6,7 @@
 rm -f /etc/odbcinst.ini
 fi
 
+dpkg-maintscript-helper rm_conffile \
+/etc/odbcinst.ini 2.3.11-2+deb12u1~ unixodbc-common -- "$@"
+
 #DEBHELPER#
diff -Nru unixodbc-2.3.11/debian/unixodbc-common.preinst 
unixodbc-2.3.11/debian/unixodbc-common.preinst
--- unixodbc-2.3.11/debian/unixodbc-common.preinst  1970-01-01 
10:00:00.0 +1000
+++ unixodbc-2.3.11/debian/unixodbc-common.preinst  2023-06-15 
20:00:30.0 +1000
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "upgrade" ] && [ -e /etc/odbcinst.ini ]; then
+cp -a /etc/odbcinst.ini /tmp/odbcinst.ini.bak
+fi
+
+dpkg-maintscript-helper rm_conffile \
+/etc/odbcinst.ini 2.3.11-2+deb12u1~ unixodbc-common -- "$@"
+
+#DEBHELPER#


Processed: bookworm-pu: package unixodbc/2.3.11-2+deb12u1

2023-06-15 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:unixodbc
Bug #1038041 [release.debian.org] bookworm-pu: package unixodbc/2.3.11-2+deb12u1
Added indication that 1038041 affects src:unixodbc

-- 
1038041: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038041
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1038000: bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1

2023-06-15 Thread Hilmar Preusse
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: texlive-...@packages.debian.org, car...@debian.org
Control: affects -1 + src:texlive-bin

* Stop building *jit* binaries on i386 based arches to make TL installable
  on computers not supporting sse2 (Closes: #1035461).
* Add patch for CVE-2023-32668: disable socket in luatex by default
  (Closes: #1036470).

[ Reason ]
- CVE-2023-32668: luatex can open connections to other devices, w/o
  notification to the end user. It is very surprising that a TeX engine
  allows unrestricted network access by default. This isn’t a
  "vulnerability" per se, but the feature is sufficiently dangerous,
  unexpected, and rarely used for it to merit a security update.
- Not building *jit* binaries: currently users with a CPU without sse2
  support cannot use TL at all, because texlive-binaries is not
  installable. The dependency on sse2-support was introduced late in the
  bookworm release cycle; it is a regression relative to bullseye.

[ Impact ]
- Small security leak in luatex.
- Some people can't use TeX Live at all.

[ Tests ]
The patch for CVE-2023-32668 comes from upstream, was tested there and is
part of the luatex 1.17.0 release. I can confirm that the network access
is disabled with the patch applied.
The patch for not needing sse2 is rather trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

Both fixes will be uploaded to experimental shortly as soon as TL 2023 is
packaged. The *jit* change will look a little differently: I'll split the
*jit* binaries into a new package, so people with sse2-capable CPUs will
still be able to use the jit feature.

[ Other info ]
The ConTeXt mtxrun needs the --socket feature enabled, otherwise the MkIV engine
won't work. Hence we need an update of the context package too, which enables
that feature at runtime.

-- 
sigmentation fault
diff -Nru texlive-bin-2022.20220321.62855/debian/changelog texlive-bin-2022.20220321.62855/debian/changelog
--- texlive-bin-2022.20220321.62855/debian/changelog	2023-05-18 23:15:13.0 +0200
+++ texlive-bin-2022.20220321.62855/debian/changelog	2023-06-12 23:19:18.0 +0200
@@ -1,3 +1,12 @@
+texlive-bin (2022.20220321.62855-5.1+deb12u1) UNRELEASED; urgency=medium
+
+  * Stop building *jit* binaries on i386 based arches to make TL installable
+on computers not supporting sse2 (Closes: #1035461).
+  * Add patch for CVE-2023-32668: disable socket in luatex by default
+(Closes: #1036470).
+
+ -- Hilmar Preusse   Mon, 12 Jun 2023 23:19:18 +0200
+
 texlive-bin (2022.20220321.62855-5.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru texlive-bin-2022.20220321.62855/debian/control texlive-bin-2022.20220321.62855/debian/control
--- texlive-bin-2022.20220321.62855/debian/control	2023-05-18 23:15:13.0 +0200
+++ texlive-bin-2022.20220321.62855/debian/control	2023-06-12 23:19:18.0 +0200
@@ -50,13 +50,12 @@
   libtexlua53-5 (<< ${source:Version}.1~),
   libtexluajit2 (>= ${source:Version}) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc],
   libtexluajit2 (<< ${source:Version}.1~) [amd64 armel armhf hurd-i386 i386 kfreebsd-amd64 kfreebsd-i386 powerpc],
-  sse2-support [i386],
   t1utils, tex-common, perl:any,
   ${shlibs:Depends}, ${misc:Depends}
 Recommends: texlive-base, dvisvgm
 Replaces: ptex-bin, mendexk, jmpost, luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329)
 Conflicts: mendexk, makejvf, jmpost
-Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329)
+Breaks: texlive-base (<< 2021), luatex (<< 2014), gregorio (<= 2.3-1), texlive-extra-utils (<< 2020.20200329), texlive-luatex (<< 2020.20200329), context (<= 2021.03.05.20230120+dfsg-1)
 Provides: texlive-base-bin, makejvf, mendexk, jmpost, luatex
 Description: Binaries for TeX Live
  This package contains all the binaries of TeX Live packages.
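Review bot: The new `context (<= 2021.03.05.20230120+dfsg-1)` entry on the `Breaks` line is not mentioned in the changelog entry of this upload, which also still carries `UNRELEASED` as its distribution instead of `bookworm`; a bookworm-pu changelog should document the Breaks (it is what forces the context update described in the bug) and name the target suite. Removing `sse2-support [i386]` while leaving `i386` in both `libtexluajit2` architecture lists above it looks inconsistent with "stop building *jit* binaries on i386": if the jit binaries are no longer shipped there, the libtexluajit2 dependency presumably no longer applies on i386 either — worth confirming against debian/rules, which is not part of this debdiff.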
diff -Nru texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch
--- texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch	1970-01-01 01:00:00.0 +0100
+++ texlive-bin-2022.20220321.62855/debian/patches/CVE-2023-32668.patch	2023-06-12 23:19:18.0 +0200
@@ -0,0 +1,234 @@
+--- texlive-bin.orig/texk/web2c/luatexdir/lua/loslibext.c
 texlive-bin/texk/web2c/luatexdir/lua/loslibext.c
+@@ -1046,6 +1046,59 @@
+ return ret;
+ }
+ 
++/* socket.sleep and socket.gettime  */
++/* are duplicated here, and they are*/
++/* always available (the socket library */
++/* can  be nil in some setups)  */

Processed: bookworm-pu: package texlive-bin/2022.20220321.62855-5.1+deb12u1

2023-06-15 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:texlive-bin
Bug #1038000 [release.debian.org] bookworm-pu: package 
texlive-bin/2022.20220321.62855-5.1+deb12u1
Added indication that 1038000 affects src:texlive-bin

-- 
1038000: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038000
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1037990: bookworm-pu: package nvidia-support/20220217+3~deb12u1

2023-06-15 Thread Andreas Beckmann
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Upgrades from bullseye to bookworm may fail while building kernel
modules with dkms if some obsolete nvidia-*-dkms packages (that have no
successor in bookworm) are still installed.
(The dkms hook in bookworm no longer returns success if building a
module has failed.)
Let's add some Breaks against them (to nvidia-installer-cleanup which
has the highest score from apt in these scenarios), to ensure the
obsolete packages (and anything depending on them) gets removed during
the upgrade to bookworm.

[ Impact ]
upgrade failures

[ Tests ]
lots of piuparts upgrade tests in my local piuparts instance (which
handles non-free, too)

[ Risks ]
low, only affects packages not in bookworm

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+nvidia-support (20220217+3) unstable; urgency=medium
+
+  * nvidia-installer-cleanup: Add Breaks against obsolete nvidia-*-dkms
+packages from bullseye that are incompatible with the bookworm kernel.

[ Other info ]


Andreas
diff --git a/debian/changelog b/debian/changelog
index 4fa6b49..15fda43 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+nvidia-support (20220217+3~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm.
+
+ -- Andreas Beckmann   Thu, 15 Jun 2023 10:37:21 +0200
+
+nvidia-support (20220217+3) unstable; urgency=medium
+
+  * nvidia-installer-cleanup: Add Breaks against obsolete nvidia-*-dkms
+packages from bullseye that are incompatible with the bookworm kernel.
+
+ -- Andreas Beckmann   Mon, 12 Jun 2023 16:55:42 +0200
+
 nvidia-support (20220217+2) unstable; urgency=medium
 
   [ Andreas Beckmann ]
diff --git a/debian/control b/debian/control
index 3947885..e51c7f0 100644
--- a/debian/control
+++ b/debian/control
@@ -31,6 +31,9 @@ Conflicts:
  nvidia-current,
  nvidia-current-updates,
  nvidia-driver-binary,
+Breaks:
+ nvidia-tesla-418-kernel-dkms (<< 418.226.00-9~),
+ nvidia-tesla-460-kernel-dkms (<< 460.106.00-9~),
 Description: cleanup after driver installation with the nvidia-installer
  This package ensures that no remnants of the non-free NVIDIA graphics
  drivers that were installed with the nvidia-installer remain on the
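Review bot: The two added Breaks entries carry no comment recording why these packages and version bounds were chosen, so the rationale lives only in the changelog and the bug report. debian/control accepts `#` comment lines, and a one-liner above the new field such as `# obsolete bullseye nvidia-*-dkms packages with no bookworm successor; their dkms build fails on the bookworm kernel` keeps the reasoning next to the relationship that encodes it. The `<< …-9~` bounds presumably cover every revision shipped in bullseye; that is inferred from the bug report, not visible in the hunk.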


Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1

2023-06-15 Thread Pierre Gruet

Hi Salvatore,

Le 15/06/2023 à 07:21, Salvatore Bonaccorso a écrit :

Hi Pierre,

On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:

[...]



diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 
xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog   2023-02-04 
14:24:45.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog   2023-06-13 
23:19:59.0 +0200
@@ -1,3 +1,9 @@
+xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
+
+ -- Pierre Gruet   Tue, 13 Jun 2023 23:19:59 +0200


Can you as well add the Debian bug closer for #1036706 here?


Thanks for looking at my diff. I admit I had not considered closing the 
bug here, since it has already been declared as closed by the upload to 
unstable; I would have issued a BTS command after this proposal hits 
bookworm.

Anyway, thanks for educating me on this.

Enclosed is the new source debdiff; everything else in the original 
message of this bug thread remains unchanged.




Regards,
Salvatore


Best,

--
Pierre
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-02-04 14:24:45.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-06-13 23:19:59.0 +0200
@@ -1,3 +1,10 @@
+xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm,
+Closes: #1036706)
+
+ -- Pierre Gruet   Tue, 13 Jun 2023 23:19:59 +0200
+
 xerial-sqlite-jdbc (3.40.1.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 3.40.1.0+dfsg
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch	1970-01-01 01:00:00.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/CVE-2023-32697.patch	2023-06-13 23:17:23.0 +0200
@@ -0,0 +1,28 @@
+Description: fixing CVE-2023-32697
+Author: Pierre Gruet 
+Origin: upstream, https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242
+Bug: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2
+Bug-Debian: https://bugs.debian.org/1036706
+Forwarded: not-needed
+Applied-Upstream: edb4b8adc2447bc04e05b9b908195a4bc7926242
+Last-Update: 2023-06-13
+
+--- a/src/main/java/org/sqlite/SQLiteConnection.java
 b/src/main/java/org/sqlite/SQLiteConnection.java
+@@ -13,6 +13,7 @@
+ import java.sql.ResultSet;
+ import java.sql.SQLException;
+ import java.util.Properties;
++import java.util.UUID;
+ import java.util.concurrent.Executor;
+ import org.sqlite.SQLiteConfig.TransactionMode;
+ import org.sqlite.core.CoreDatabaseMetaData;
+@@ -303,7 +304,7 @@
+ }
+ 
+ String tempFolder = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath();
+-String dbFileName = String.format("sqlite-jdbc-tmp-%d.db", resourceAddr.hashCode());
++String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());
+ File dbFile = new File(tempFolder, dbFileName);
+ 
+ if (dbFile.exists()) {
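Review bot: The replacement line `String dbFileName = String.format("sqlite-jdbc-tmp-%s.db", UUID.randomUUID());` carries no comment stating that the name must be unpredictable, so a later refactor could reintroduce a deterministic name without anything in the code objecting. A one-line comment above it, `// Name must be unpredictable: the previous hashCode()-derived name was identical for every process loading the same resource (CVE-2023-32697).`, would pin the security property to the line. `java.util.UUID.randomUUID()` draws from a cryptographically strong generator, so the patched line itself is sound as far as the hunk shows. The enclosing method continues outside the hunk; the following `if (dbFile.exists())` branch is unchanged, and since every call now produces a fresh name that branch will rarely fire, so whatever cleanup of the temporary file exists elsewhere presumably carries more weight now — not verifiable here. Separately, the DEP-3 header pairs `Author: Pierre Gruet` with `Origin: upstream` and `Applied-Upstream`; if the code change is the upstream commit verbatim, naming the upstream author in `Author:` would be the conventional form.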
diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series
--- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series	2023-02-02 17:16:53.0 +0100
+++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/patches/series	2023-06-13 23:10:58.0 +0200
@@ -7,3 +7,4 @@
 skip_OSInfoTest.patch
 tests_without_archunit-junit5_and_some_assertions.patch
 junit-jupiter-params_artifact.patch
+CVE-2023-32697.patch

